Yokogawa Mitigates CENTUM, Exaopc Holes

Wednesday, December 3, 2014 @ 04:12 PM gHale

Yokogawa and JPCERT mitigated a missing-authentication vulnerability in the Yokogawa CENTUM CS 3000 series and Exaopc products, according to a report on ICS-CERT.

Tod Beardsley of Rapid7 Inc. and Jim Denaro of CipherLaw discovered the remotely exploitable vulnerability and released proof-of-concept exploit code.

Exploits that target this vulnerability are publicly available.


The following Yokogawa CENTUM versions suffer from the issue when the Batch Management Packages are installed:
• CENTUM CS 3000 (R3.09.50 or earlier)
• CENTUM CS 3000 Entry Class (R3.09.50 or earlier)
• CENTUM VP (R4.03.00 or earlier, R5.04.00 or earlier)
• CENTUM VP Entry Class (R4.03.00 or earlier, R5.04.00 or earlier)

The following Yokogawa Exaopc version is affected:
• Exaopc (R3.72.10 or earlier)

Successful exploitation of this vulnerability could allow an attacker to read and write arbitrary files.

Yokogawa is a company based in Japan that maintains offices in several countries around the world, including North and Central America, South America, Europe, the Middle East, Africa, South Asia, and East Asia.

The affected products, CENTUM CS 3000, are Windows-based control systems. According to Yokogawa, these products are deployed across several sectors, including critical manufacturing, energy, food and agriculture, and others. Yokogawa estimates there are 7,600 systems worldwide.

CENTUM’s BKBCopyD.exe service starts when the Batch Management Packages are installed and listens by default on Port 20111/TCP. The service performs no authentication, so anyone who can reach the port can abuse several of its operations to:
• Leak the CENTUM project database location
• Read arbitrary files
• Write arbitrary files

This vulnerability is different from CVE-2014-0784, reported in March 2014.

CVE-2014-5208 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 6.8.

An attacker with a low skill level would be able to exploit this vulnerability.

Yokogawa has provided patch software for the latest revision of Exaopc and for all affected CENTUM systems. Yokogawa technical support and services can answer questions about patch availability and installation.

Yokogawa also suggests all customers introduce appropriate security measures to the overall system, not just for the vulnerability identified.

For more information, please see Yokogawa Security Advisory Report YSAR-14-0003E, published September 17, 2014.

Yokogawa also recommends the following firewall mitigation measures:
• Block data communications from outside the control system network to Port 20111/TCP
• Allow internal traffic on Port 20111/TCP only for the CENTUM systems installed with Batch Management Packages
• Block the traffic on Port 20111/TCP to Exaopc installations
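The three firewall rules above, together with the description of BKBCopyD.exe listening unauthenticated on 20111/TCP, translate directly into a check that can be run against connection logs to find hosts still reachable on that port. The script below is an added example and is not Yokogawa, ICS-CERT or Rapid7 code: the control-network address range (10.20.0.0/16), the host inventory, the role names and the space-separated log line format are all constructed assumptions for illustration. It flags any 20111/TCP flow that comes from outside the control network, that reaches an Exaopc host, or that reaches a CENTUM host without the Batch Management Packages (or any host that should not be running the service at all).

```python
"""Added example: audit connection logs against Yokogawa's firewall guidance
for the BKBCopyD.exe service (20111/TCP). Not Yokogawa code; the network
range, inventory and log format below are constructed assumptions."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

BKBCOPYD_PORT = 20111

# Assumed address range of the control system network (hypothetical).
CONTROL_NET = ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Host:
    role: str                     # "centum", "exaopc" or "other"
    batch_packages: bool = False  # Batch Management Packages installed?


# Constructed inventory: which hosts legitimately run BKBCopyD.exe.
INVENTORY: Dict[str, Host] = {
    "10.20.3.10": Host("centum", batch_packages=True),
    "10.20.3.11": Host("centum", batch_packages=False),
    "10.20.4.20": Host("exaopc"),
    "10.20.5.30": Host("other"),
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))


def check_flow(flow: Flow, inventory: Dict[str, Host] = INVENTORY) -> Optional[str]:
    """Return a reason if the flow breaks the three recommendations, else None.

    1. No 20111/TCP from outside the control system network.
    2. Inside the network, 20111/TCP only to CENTUM hosts with Batch Management.
    3. No 20111/TCP to Exaopc hosts at all.
    """
    if flow.dport != BKBCOPYD_PORT:
        return None  # only the BKBCopyD.exe port is in scope here
    if ip_address(flow.src) not in CONTROL_NET:
        return "external source reaching 20111/TCP"
    dst = inventory.get(flow.dst)
    if dst is None:
        return "20111/TCP to host not in inventory"
    if dst.role == "exaopc":
        return "20111/TCP to Exaopc installation"
    if dst.role == "centum" and not dst.batch_packages:
        return "20111/TCP to CENTUM host without Batch Management Packages"
    if dst.role != "centum":
        return "20111/TCP to host that should not run BKBCopyD.exe"
    return None


def find_violations(lines: List[str], inventory: Dict[str, Host] = INVENTORY) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) pairs for every logged flow that breaks the policy."""
    out: List[Tuple[Flow, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        reason = check_flow(flow, inventory)
        if reason:
            out.append((flow, reason))
    return out


# Constructed sample log; not a real capture.
SAMPLE_LOG = """
2014-12-03T10:00:01Z 10.20.1.5  10.20.3.10 20111
2014-12-03T10:00:02Z 10.20.1.5  10.20.3.11 20111
2014-12-03T10:00:03Z 10.20.1.5  10.20.4.20 20111
2014-12-03T10:00:04Z 192.0.2.7  10.20.3.10 20111
2014-12-03T10:00:05Z 10.20.1.5  10.20.3.10 502
2014-12-03T10:00:06Z 10.20.1.5  10.20.5.30 20111
"""

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Of the six constructed flows, only the first (an in-network client to a CENTUM host with the Batch Management Packages) passes; the Modbus-port flow on line five is simply out of scope. Because the service itself authenticates nobody, a check like this only tells you where the network still exposes the port; it does not substitute for applying Yokogawa's patch.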
